hmm depends on the security setup I believe. For instance I have 2 jars...
one (lets call it secure.jar) has beans which can only be accessed by authorized users.
the other has beans which anyone can access. (lets call it insecure.jar)
what i do in secure.jar is add a jboss.xml with security information, and add method permissions. I believe, that in this case NOONE will be allowed access if you do not decalre method permissions. (since it has a security context and the permission is blank... makes sense. I havent tried this one).
In insecure.jar i do NOT add any jboss.xml so method permissions are of no consequence, there is no way to tell WHO is accessing the bean. I know in this case anyone can. Since I have a bean just like this. No roles, so no way to set permissions.
Best way to tell in the other case is to try it and see what happens. :)